dosubot[bot] commented on issue #36355: URL: https://github.com/apache/superset/issues/36355#issuecomment-3595878005
Hi @brenot-a! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the superset team.

In Superset 5.0.0, only chart owners (or admins) can favorite a chart because the backend explicitly checks for ownership in the AddFavoriteChartCommand by calling `security_manager.raise_for_ownership(chart)`. If you're not an owner, this raises a forbidden error and blocks the action, even if you have access to view the chart. This is not configurable via roles or permissions and appears to be an intentional design choice in the current codebase, similar to how draft dashboards are restricted to owners for privacy and curation reasons [see code reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/commands/chart/fave.py#L35-L57).

If you want to allow users with access (not just owners) to favorite charts, you would need to modify the code to use `raise_for_access` instead of `raise_for_ownership` in the relevant command. This would let anyone with access to the chart's datasource favorite it, not just owners. Be aware that relaxing this restriction could have privacy or curation implications, depending on your organization's needs.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
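The difference between the two gates described in the comment above, as an added example that is not Superset's code and not part of the original comment: a simplified model that reports which users may favorite a chart under each check. The functions are stand-ins named after the checks the comment mentions; their signatures, the `User` and `Chart` classes, and the sample data are hypothetical.

```python
class Forbidden(Exception):
    """Stand-in for the forbidden error the comment describes."""

class User:
    def __init__(self, name, is_admin=False, datasources=()):
        self.name = name
        self.is_admin = is_admin
        self.datasources = frozenset(datasources)  # datasources this user may read

class Chart:
    def __init__(self, id, datasource, owners=()):
        self.id = id
        self.datasource = datasource
        self.owners = frozenset(owners)

def raise_for_ownership(user, chart):
    # Owner-or-admin gate: being able to view the chart is not enough.
    if not (user.is_admin or user.name in chart.owners):
        raise Forbidden(f"{user.name} does not own chart {chart.id}")

def raise_for_access(user, chart):
    # Access gate: anyone who can read the chart's datasource passes.
    if not (user.is_admin or chart.datasource in user.datasources):
        raise Forbidden(f"{user.name} cannot access chart {chart.id}")

def add_favorite(user, chart, favorites, check):
    """Run the authorization check first; record the favorite only if it passes."""
    check(user, chart)
    favorites.add((user.name, chart.id))

def who_can_favorite(users, chart, check):
    """Return the sorted names of users that the given check lets through."""
    allowed = []
    for user in users:
        try:
            add_favorite(user, chart, set(), check)
            allowed.append(user.name)
        except Forbidden:
            pass  # denied: the favorite is never recorded
    return sorted(allowed)

# Constructed sample data (hypothetical users and chart).
CHART = Chart(id=1, datasource="sales", owners={"alice"})
USERS = [
    User("alice", datasources={"sales"}),  # owner
    User("bob", datasources={"sales"}),    # viewer with datasource access
    User("carol"),                         # no access to the datasource
    User("root", is_admin=True),           # admin
]
```

Comparing `who_can_favorite(USERS, CHART, raise_for_ownership)` with `who_can_favorite(USERS, CHART, raise_for_access)` gives the set of users whose permissions widen if the check is swapped, which is the list to review before relaxing it.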
